From owner-freebsd-security  Wed Oct  9 14:50:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6342537B401
	for <security@FreeBSD.ORG>; Wed,  9 Oct 2002 14:50:23 -0700 (PDT)
Received: from fubar.adept.org (fubar.adept.org [63.147.172.249])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 2A64B43E4A
	for <security@FreeBSD.ORG>; Wed,  9 Oct 2002 14:50:23 -0700 (PDT)
	(envelope-from mike@adept.org)
Received: by fubar.adept.org (Postfix, from userid 1001)
	id A77DA154D5; Wed,  9 Oct 2002 14:47:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
	by fubar.adept.org (Postfix) with ESMTP id A5393154D3
	for <security@FreeBSD.ORG>; Wed,  9 Oct 2002 14:47:01 -0700 (PDT)
Date: Wed, 9 Oct 2002 14:47:01 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: security@FreeBSD.ORG
Subject: Re: md5 checksum server
In-Reply-To: <20021009142623.Q88247-100000@fubar.adept.org>
Message-ID: <20021009144421.B88247-100000@fubar.adept.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Wed, 9 Oct 2002, Mike Hoskins wrote:
> As for how useful this really is...  Well, is it any harder to grab the
> MD5 sum from the vendor and compare yourself vs. doing a DNS lookup?
> Probably not.  Also, while the vendor sites/sums can certainly be
> compromised, some would argue adding a third-party source for the sums
> just creates another attack vector.

As an aside, what if someone worked up a standard/RFC detailing accepted
naming conventions for md5 sums.  If there was some standardization
(I.e. software.version.md5 in the same directory the distfile is retreived
from, many follow similar conventions already), then FTP clients
(including things like wget) could be modified to automagically compare
md5 sums on download when they exist.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message